Introduction
In order to use vault-ssh-helper for SSH one-time password authentication on Red Hat servers, the /etc/pam.d/sshd configuration file has to be modified. This article provides an example of a modified /etc/pam.d/sshd configuration file.
Expected Outcome
If configured correctly, SSH authentication requests are redirected to the Vault SSH secrets engine instead of using the local /etc/passwd file, and SSH one-time password authentication will be used.
Prerequisites
- HashiCorp Vault
- SSH Secrets Engine
- vault-ssh-helper
Use Case
The One-Time SSH Password (OTP) type of the SSH secrets engine allows a Vault server to issue a one-time password every time a client wants to SSH into a remote host; a helper command on the remote host performs the verification.
An authenticated client requests credentials from the Vault server and, if authorized, is issued an OTP. When the client establishes an SSH connection to the desired remote host, the OTP used during SSH authentication is received by the Vault helper, which then validates the OTP with the Vault server. The Vault server then deletes this OTP, ensuring that it is only used once.
Since the Vault server is contacted during SSH connection establishment, every login attempt and the corresponding Vault lease information is logged to the audit secrets engine.
Procedure
Please find an example of the original /etc/pam.d/sshd file below:
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
Please find an example of a modified /etc/pam.d/sshd file below:
#%PAM-1.0
auth requisite pam_exec.so quiet expose_authtok log=/var/log/vaultssh.log /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl
auth optional pam_unix.so use_first_pass nodelay
#auth substack password-auth
#auth include postlogin
#account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
#password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
The vault-ssh-helper is configured to run in development mode using the -dev parameter. The configuration file config.hcl is specified with the -config parameter, and while running, the helper's output is logged to /var/log/vaultssh.log using the log= option of pam_exec.so.
The following lines from the original /etc/pam.d/sshd file have been commented out:
#auth substack password-auth
#auth include postlogin
#account required pam_sepermit.so
#password include password-auth
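As an added example (not part of the original article or of vault-ssh-helper), the following Python script parses a pam.d/sshd file and checks the properties the modified configuration above relies on: the first auth rule must be a requisite pam_exec.so call to vault-ssh-helper with expose_authtok, no active auth rule may still pull in password-auth (which would leave local password login as a fallback around Vault), and -dev is reported as a warning because development mode is not meant for production. The sample file content is a constructed copy of the configuration shown above; the helper path and log path are taken from it.

```python
import shlex

# Constructed copy of the article's modified /etc/pam.d/sshd (auth section).
MODIFIED_SSHD_PAM = """\
#%PAM-1.0
auth requisite pam_exec.so quiet expose_authtok log=/var/log/vaultssh.log /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl
auth optional pam_unix.so use_first_pass nodelay
#auth substack password-auth
#auth include postlogin
account required pam_nologin.so
account include password-auth
"""


def parse_pam(text):
    """Return (type, control, module, args) per active rule; comments are
    skipped. Bracketed controls like [success=1 default=ignore] are not parsed."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], fields[2], fields[3:]))
    return rules


def check_vault_otp_stack(text):
    """Return (errors, warnings) for a pam.d/sshd file meant for Vault OTP."""
    errors, warnings = [], []
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    if not auth:
        return ["no auth rules found"], warnings
    control, module, args = auth[0][1:]
    helper = any(a.endswith("vault-ssh-helper") for a in args)
    if module != "pam_exec.so" or not helper:
        errors.append("first auth rule must run vault-ssh-helper via pam_exec.so")
    elif control != "requisite":
        # requisite: a rejected OTP fails the stack immediately, no fallthrough
        errors.append(f"helper rule is '{control}', expected 'requisite'")
    if helper and "expose_authtok" not in args:
        errors.append("expose_authtok missing: the OTP never reaches the helper")
    if helper and "-dev" in args:
        warnings.append("helper runs with -dev (development mode)")
    for _, ctl, mod, _ in auth:
        # an active password-auth stack lets local passwords bypass Vault
        if ctl in ("include", "substack") and mod == "password-auth":
            errors.append("password-auth still active: local password fallback")
    return errors, warnings
```

Run it against a copy of your own /etc/pam.d/sshd by passing the file content to check_vault_otp_stack; an empty error list and only the -dev warning means the stack matches the modified example.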